IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Docs: Change access control scopes for dashboards, folders and data sources to be based on uid:s (#48397)

Browse Source 
* Change to uid based scopes
This commit is contained in:
Karl Persson 2022-04-28 14:25:20 +02:00 committed by GitHub
parent a7a5476ac2
commit 0c998a1fbd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 128 additions and 129 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
docs/sources/enterprise/access-control/custom-role-actions-scopes.md
View File

@ -20,7 +20,7 @@ To learn more about the Grafana resources to which you can apply RBAC, refer to
The following list contains role-based access control actions.
| Action | Applicable scope | Description |
| ------------------------------------ | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| ------------------------------------ | --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `alert.instances.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alerts and silences in data sources that support alerting. |
| `alert.instances.external:write` | `datasources:*`<br>`datasources:uid:*` | Manage alerts and silences in data sources that support alerting. |
| `alert.instances:create` | n/a | Create silences in the current organization. |
@ -34,36 +34,35 @@ The following list contains role-based access control actions.
| `alert.notifications:update` | n/a | Update templates, contact points, notification policies, and mute timings in the current organization. |
| `alert.rules.external:read` | `datasources:*`<br>`datasources:uid:*` | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) |
| `alert.rules.external:write` | `datasources:*`<br>`datasources:uid:*` | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
| `alert.rules:create` | `folders:*`<br>`folders:id:*` | Create Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:delete` | `folders:*`<br>`folders:id:*` | Delete Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:read` | `folders:*`<br>`folders:id:*` | Read Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:update` | `folders:*`<br>`folders:id:*` | Update Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:create` | `folders:*`<br>`folders:uid:*` | Create Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:delete` | `folders:*`<br>`folders:uid:*` | Delete Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:read` | `folders:*`<br>`folders:uid:*` | Read Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `alert.rules:update` | `folders:*`<br>`folders:uid:*` | Update Grafana alert rules in a folder. Combine this permission with `folders:read` in a scope that includes the folder and `datasources:query` in the scope of data sources the user can query. |
| `annotations.create` | `annotations:*`<br>`annotations:type:*` | Create annotations. |
| `annotations.delete` | `annotations:*`<br>`annotations:type:*` | Delete annotations. |
| `annotations.read` | `annotations:*`<br>`annotations:type:*` | Read annotations and annotation tags. |
| `annotations.write` | `annotations:*`<br>`annotations:type:*` | Update annotations. |
| `dashboards.permissions:read` | `dashboards:*`<br>`dashboards:id:*`<br>`folders:*`<br>`folders:id:*` | Read permissions for one or more dashboards. |
| `dashboards.permissions:write` | `dashboards:*`<br>`dashboards:id:*`<br>`folders:*`<br>`folders:id:*` | Update permissions for one or more dashboards. |
| `dashboards:create` | `folders:*`<br>`folders:id:*` | Create dashboards in one or more folders. |
| `dashboards:delete` | `dashboards:*`<br>`dashboards:id:*`<br>`folders:*`<br>`folders:id:*` | Delete one or more dashboards. |
| `dashboards:edit` | `dashboards:*`<br>`dashboards:id:*`<br>`folders:*`<br>`folders:id:*` | Edit one or more dashboards (only in ui). |
| `dashboards:read` | `dashboards:*`<br>`dashboards:id:*`<br>`folders:*`<br>`folders:id:*` | Read one or more dashboards. |
| `dashboards:write` | `dashboards:*`<br>`dashboards:id:*`<br>`folders:*`<br>`folders:id:*` | Update one or more dashboards. |
| `datasources.id:read` | `datasources:*`<br>`datasources:name:*` | Read data source IDs. |
| `datasources.permissions:read` | `datasources:*`<br>`datasources:id:*` | List data source permissions. |
| `datasources.permissions:write` | `datasources:*`<br>`datasources:id:*` | Update data source permissions. |
| `dashboards.permissions:read` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Read permissions for one or more dashboards. |
| `dashboards.permissions:write` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Update permissions for one or more dashboards. |
| `dashboards:create` | `folders:*`<br>`folders:uid:*` | Create dashboards in one or more folders. |
| `dashboards:delete` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Delete one or more dashboards. |
| `dashboards:read` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Read one or more dashboards. |
| `dashboards:write` | `dashboards:*`<br>`dashboards:uid:*`<br>`folders:*`<br>`folders:uid:*` | Update one or more dashboards. |
| `datasources.id:read` | `datasources:*`<br>`datasources:uid:*` | Read data source IDs. |
| `datasources.permissions:read` | `datasources:*`<br>`datasources:uid:*` | List data source permissions. |
| `datasources.permissions:write` | `datasources:*`<br>`datasources:uid:*` | Update data source permissions. |
| `datasources:create` | n/a | Create data sources. |
| `datasources:delete` | `datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Delete data sources. |
| `datasources:delete` | `datasources:*`<br>`datasources:uid:*` | Delete data sources. |
| `datasources:explore` | n/a | Enable access to the **Explore** tab. |
| `datasources:query` | n/a<br>`datasources:*`<br>`datasources:id:*` | Query data sources. |
| `datasources:read` | n/a<br>`datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | List data sources. |
| `datasources:write` | `datasources:*`<br>`datasources:id:*` | Update data sources. |
| `folders.permissions:write` | `folders:*`<br>`folders:id:*` | Update permissions for one or more folders. |
| `datasources:query` | `datasources:*`<br>`datasources:uid:*` | Query data sources. |
| `datasources:read` | `datasources:*`<br>`datasources:uid:*` | List data sources. |
| `datasources:write` | `datasources:*`<br>`datasources:uid:*` | Update data sources. |
| `folers.permissions:read` | `folders:*`<br>`folders:uid:*` | Read permissions for one or more folders. |
| `folders.permissions:write` | `folders:*`<br>`folders:uid:*` | Update permissions for one or more folders. |
| `folders:create` | n/a | Create folders. |
| `folders:delete` | `folders:*`<br>`folders:id:*` | Delete one or more folders. |
| `folders:read` | `folders:*`<br>`folders:id:*` | Read one or more folders. |
| `folders:write` | `folders:*`<br>`folders:id:*` | Update one or more folders. |
| `folers.permissions:read` | `folders:*`<br>`folders:id:*` | Read permissions for one or more folders. |
| `folders:delete` | `folders:*`<br>`folders:uid:*` | Delete one or more folders. |
| `folders:read` | `folders:*`<br>`folders:uid:*` | Read one or more folders. |
| `folders:write` | `folders:*`<br>`folders:uid:*` | Update one or more folders. |
| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
| `ldap.user:read` | n/a | Read users via LDAP. |
@ -136,11 +135,11 @@ The following list contains role-based access control actions.
The following list contains role-based access control scopes.
| Scopes | Descriptions |
| ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `annotations:*`<br>`annotations:type:*` | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations. |
| `dashboards:*`<br>`dashboards:id:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:id:1` matches the dashboard whose ID is `1`. |
| `datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:name:postgres` matches the data source named `postgres`. |
| `folders:*`<br>`folders:id:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:id:1` matches the folder whose ID is `1`. |
| `dashboards:*`<br>`dashboards:uid:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`. |
| `datasources:*`<br>`datasources:uid:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`. |
| `folders:*`<br>`folders:uid:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. |
| `global.users:*` <br> `global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. |
| `orgs:*` <br> `orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. |
| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |

4
docs/sources/enterprise/access-control/plan-rbac-rollout-strategy.md
View File

@ -128,11 +128,11 @@ curl --location --request POST '<grafana_url>/api/access-control/roles/' \
"permissions": [
{
"action": "folders:read",
"scope": "folders:id:92"
"scope": "folders:uid:YEcBGYU22"
},
{
"action": "alert.rules:read",
"scope": "folders:id:92"
"scope": "folders:uid:YEcBGYU22"
},
{
"action": "datasources:query",